From YouTube: CNCF SIG-Security Meeting - 2019-08-07
C: You know, that was, that was really... You know, why is, like, paid special attention to it, but what securityq? Now it's the Kubernetes, and yeah, like we've done with, you know, policy group and other groups, we want to, you know, establish relationship maintained, especially with Kubernetes. As you know, one of the key projects in the CNCF; we want to make sure that we stay aligned with that.

C: It, right, yep, no we're not, okay, all right! Well, so I'm back this week and I'll be sharing throughout August during the meetings, still carrying the groupie group. I've been tied up with some work stuff, and as soon as we moved this to our 10:00 a.m. Pacific time, you know, the hordes came, and that became a really tough time for me.

C: So I've been, like, duty during meeting times, month or so, and we really appreciate Sarah carrying everything forward. And, you know, excuse me today if, you know, I'm connecting context and, you know, getting back up to speed; please smack me around and we'll get everything back on track, all right. So let's go and do check-ins. I can do that as my check-in, and I will hand off next to Justin.
D: You know, there to be a forcing function to cause the last, like, couple hours of work to happen, and by the way, I'm pointing the finger squarely at myself and, and a little less squarely at the, the OPA folks there. But we, we really just need to round that off, and having some kind of forcing function, I think, is a necessity, because we haven't been able to make it happen otherwise. I...

D: There was some resistance to have it go immediately into incubating; there's a thought that our adoption and governance, those two things, can be improved, and we didn't know what the vote would be if we pushed with incubation, but we basically knew it would pass in sandbox, and we've also been encouraged that we are very likely to transition to incubating before KubeCon in November, assuming that we actually document our governance and adoption in the way we should have, you know, probably done before we put our proposal in.

A: I think, do we, we don't. However, we have documented that, the TOC, we may do security assessments that are not a priority for the TOC, because the TOC hasn't prioritized something and we think some projects, you know, it would be beneficial to the membership in the community if we did a security assessment of a particular project; they may not.

A: Remember the conversation, it was like, for the annual updates, like there's gonna be some activities where it's just not going to matter, and they're gonna be like, we're busy this month, right, and they don't need a presentation. So, but I really think that putting a date editing of it, and it was a forcing function for in-toto, I, particularly, like, particularly in getting me to finalize things, but also just, I think, for everybody: oh, there's a meeting coming up, everybody get your stuff in.
C: The next, for the next step, since we don't have that and we want to, you know, get that started, you know, but let's ask for a meeting, and, you know, with, with the intent of getting the meeting together, you know, letting them, give the opportunity to land that in the TOC, or, you know, if, if they can't pull it all the way into the TOC base and they're scheduled to, you know, engage for them.

C: I think we eventually will be able to do it through GitHub issues, but ultimately we need to force a meeting with the, the representatives and get to the TOC. So until we have the process with the TOC and, you know, we're PR-ing something to a TOC meeting, you know, the, my big takeaway is, you know, the forcing function needs to be, you know, completion to the TFC, and, you know, five and all you read out there, and not just, you know, we're signed off, we're done, and, you know, it stays in SIG security.

A: Yeah, and I think, I think the key thing is that it's not forcing, like, we're not forcing a meeting upon them. We are giving them an opportunity to hear our findings or choose to hear them asynchronously, and we're just asking if Joe and Liz would, that we would appreciate a review with Joe and Liz that's live, and how do they want to hit that? But I think particularly, like, there's the process, right, that we want to propose going forward, and then there's, like, hey, we're almost on the sofa assessment.
I: Everybody Underwood with synchrony and NIST, and whatever else. Nothing really fancy this week; we're, we're in the middle of a summer-long project to try to figure out how to build models that work with the MITRE ATT&CK frameworks. People that are, you know, in the ontology space might be interested in that, but I don't see any deliverables for that till probably next, next calendar year, probably end of next semester, because I have an academic helping me with that in a...

J: Presented attack trees and threat model stuff that we've been working on to the financial services group and discussed with Cheryl where to host that in the interim. So we're looking at putting that in the financial services bucket, and also discussed some of the security training material that we'd put together and did a bit of demonstration on that.

J: Also had a conversation with Clyde see purse ad from the Linux Foundation; he's interested in putting together some container security training, and I suggested he reach out to this forum to, to make that request and perhaps get people involved, if, if that is really where he's looking to go, so I think he'll be in touch.

J: Her very little initial incubation, I just asked him, but I think, you know, it sounds like something that should be going towards the security SIG. So, you know, maybe put something formal together and send an email to chairs and perhaps present it in this meeting, but it sounded like it was a similar intent to, I know that there's, I think it was Michael was putting together a book, and there's been conversations about doing some additional training material; sounds very similar, so perhaps they can connect the two together. Great.
C: Yeah, just, you know, as we saw with the security assessments, raise your hand, and, you know, even if there's an area where there isn't currently organized activity, if you, like, there's a space in here that, you know, I'd like to, to explore, and you want to raise your hand for that, please don't, don't limit yourself to only that, the current structures we have.

O: Not directly on the take, but might be interesting once I can get some things ran up. I've been doing a lot of work, this work this week on researching serverless security, so I'm going to try and write a, but yeah, it's basically the work, when it's right, write up a bunch of stuff so I can share more. Probably more related to the SIG, I'm being joining about getting involved in setting up the app delivery SIG, which has now got a charter up in front of the TOC.

O: Some conversations around that; I explicitly added the, after some conversations, the security SIG in reference to that, and I think there's, one of the things that that SIG is interested in doing is providing advice and guidance on development practices. It would be very bad if the CNCF-branded advice and guidance was fundamentally insecure.

O: This SIG obviously has a whole bunch of people that would act as a really good review of some of that guidance, and so I added something to their charter conversation that, in attending that, and this, that also kicked a conversation off that I posted to the TSE list. I think Sarah responded as well, about, like, where we're publishing things, and I think both this SIG and the proposed app delivery one will be doing so.

O: It's probably worth having some standards and guidance around just being upfront about who we work for and who we are and our biases. They exist, that's fine; we're all trying to make things better at the same time as getting paid by someone, badly. The more, I think, we can be transparent about that, the better. So, yeah, there's a conversation going on on the Keirsey mailing list about that at the moment.
C: Great, yeah, I'd love to connect the dots to that effort, you know, with, with serverless as well, but unfortunately dropped a bit off, off my radar personally to, to even share back what, what's, what's going on there or manage expectations on the other end. But, you know, oh, of course, there's the, the security lens. It'd be great if, you know, we could connect that back to that group as well. So like you're doing with, with, you know, the app group, you know, the, the security context would roll into that as well.

R: Sure, so JJ, Amy and I met yesterday. We decided to push the date of the CFP back a little bit, because Amy, I'm sorry, Emily from the CNCF, was on vacation and we weren't able to get out the CFP as quickly as we wanted to. There were a few other outstanding issues that we needed to resolve as a team, so I think we're gonna have it closed the Friday after KubeCon, on schedule as announced, and then that way we give the opportunity to people to recycle talks.

R: That's worked really well for the Cloud Native Rejekts conference, so we're just trying to emulate what that successful conference is already doing, and then Amy is also going to work with the people in the CNCF to get the website up for the event as well, so we can start promoting it a little bit more. I'm...

R: Great, continue, sorry. And then outside of that, I've just been in Minneapolis over the last couple days. I did a security workshop on Falco, which was, had about 80 people in it, so pretty well attended.
C: All right, so let's go ahead and get into it. So we have three topics that we're gonna cover: the TOC call, Notary project and security assessments, conflict of interest ashes, adding furiously to that. I guess I'm taking notes, is, so, TOC call. Unfortunately, I couldn't make the, the call yesterday; was anyone able to, to join there, and would that, you be willing to recap the events, exciting, happen to...

E: Be all missing, I was on the call, is, today, I think the, the main things that I remember, these relevant is, like, is they, they talked about the co-located event, so the scenes there security being was part of that, and then they talked about in-toto status in terms of sandboxing and probably to move to incubating soon. I...

E: Think of this, and Michelle look at that, sponsor that, and then we had quite a bit of discussion around the know, barista, which I think we can, I guess we can talk more about that in the next point. Yeah, I think that was the relevant stuff for the SIG, but...

A: What about the, the app delivery SIG? Was the discussion of that, Gareth? Were you there at the, on the call, or, I...

Q: It's Amy, I can speak toward some of this. App delivery is currently taking another three to four weeks or so to being able to finalize, and out of that call the serverless working group will be likely under the app delivery. The reason I'm saying likely is because, again, it's not all approved, but there, if you'd like, I am happy to be able to post these slides into the meeting notes. Would that be helpful? That would, let me just do so.

Q: It, okay, yeah, there's their slides; everything was talked about is listed in the slides. Yeah, happy to help.
C: No, like, I just feel like, you know, I had a pulse on the serverless working group and how we can engage there, and I lost that pulse, but it sounds like they're, you know, also, you're, kind of finding their, their way in the world right now, so yeah, that's all. I wanted to see who the folks are that can, you know, be sharing that context out, and, you know, if we had any mechanism to support.

A: And I could just chime in a little bit, like, since I was involved in the serverless working group, and when we all decided to focus, that we wanted a CloudEvents standard, or specification, because we don't do standards, that the serverless working group decided that that would be the main thing the serverless working group did. And so for a long time it was just a thing that the serverless working group was doing, and then when it became a CNCF project, basically it's the project of the, it's what the serverless working group is doing.

A: So the serverless working group has been fairly dormant for some time, or very active, depending on how you think about it, and so, so yeah, I made some comments on the app delivery proposal that my expectation was that the serverless working group would then be part of app delivery, right. It would be subsumed by, or a subsidiary, or something, and so I think that's still being discussed, about exactly how that works.

A: But Gareth is coming, and over the last few weeks, it's in the notes, like, some chimed in on how we would work together, and I think it's very exciting to me to hear that, like, oh, the app people do want to make sure that there are security recommendations in the app things, you know, and the guidelines, and so we've talked about collaborating there, but haven't kind of formalized it, and totally become their own SIG.
D: I think there's a couple ways to look at it, and I'm trying to be as, like, given this is a recorded call that's gonna end up on YouTube, but, all, I'll say it this way. So I think Charles Richard, who I don't know, has looked at some statistics and, I think, extrapolated quite a bit from them in a way that I think, at least from my perspective, is the reason why you don't just look at statistics, because the, the view is, is that rkt as a project truck is avodah, yeah, I?

D: Don't, I don't know who he is, but the view is that rkt as a project hadn't been actively maintained. It had a bunch of open security issues, it had a bunch of problems with it. So Notary, if you look at certain statistics, doesn't, isn't, of course, anywhere near as bad as rkt, but looks closer to rkt than, you know, than, like, to Kubernetes or, or other very healthy, active projects, but I think that doesn't really tell the right story.

D: As a couple of people argued below, including myself, you know, when you have a project that's security sensitive and is very stable, and, you know, we do not add features and things to TUF very frequently. We, we do this, you know, very conservatively, make changes to the TUF spec, and so, as a result, projects like Notary are also, tend to be very conservative about code changes and things they add, and I...

D: Think that, you know, just my personal opinion on this is that, that things are being a bit conflated here, that there's too much, that the original poster put a little too much emphasis on that. As myself, Santiago, Justin Cormack and, I think, someone else also posted below, which, ironically, it's, you know, this is being used, Notary is being used in production by IBM and Red Hat.

D: So a little odd to say, you know, to say things like Docker is not supporting it or whatever else, because obviously they're using it in production. It's probably somewhere around 80 percent of that, it, the TUF use in the cloud is via the Notary project. So it's a very, very widely used piece of software that hasn't needed to change drastically, and I think that the tea leaves are being misread for that reason.
B: Yeah, so is that maybe a statistic missing, right, which is use of the project, right? If you just measure contribution, there could be a project that is not used by anybody, lots of contribution, lots of churn going on that doesn't help anybody, right, and this is kind of the opposite side of the spectrum, where there is a lot of use, but, you know, the project is mature enough that you don't have to have work at the level of churn, right. There may be ongoing maintenance work. Maybe there needs to be a maintenance mode.

E: So, ironically, the, the person that opened this was, I think he's from Red Hat. So we, we actually used the resize as Notary, and, but the only thing that I think there's some issues with, which I think Justin has mentioned that they're working on fixing, is kind of moving out some of the enacted maintenance, to make me open me once. So currently, IBM, what we do is we actually maintain a limp address on delivery.

D: I'm close to the note, but I'm not really in the note. I, I think that is part of it. It's been, there's, there's this sort of supply chain thing that everybody wants to make sure works well, and a lot of people are viewing this as a good opportunity to fix it. So I think that's also made, me, a Notary, a little more, along with some of the OCI stuff that was mentioned, has, has made them a little more conservative about things. I would like to see more, personally.

D: I would like to see more of IBM's involvement, and, you know, the, the sort of fork that's there, I'd like to see a lot of those changes make their way over into Notary, personally, but I also, you know, I understand that there's a bunch of different reasons and views and things like that about how this should all work. So, but it's, it's certainly a project that has a lot of use, has a lot of importance. That's...

D: You, thank you, yeah, but just to finish my sentence: it's a project that I don't think has a desperate need for features from most of the adopters, but, like I said, it would in some ways be nice to have some of the things that IBM has added be more widely available to other adopters, of which there are quite a few if you go to the Notary adopters list or the TUF one, yeah.
D: In my sense, we probably don't have to do much about it. I think the thing that's really relevant here to the security group is, I think we want to be a voice to perhaps say that, that feature rate of addition is not necessarily a great metric for "is this a good security project", especially for security, right, yeah.

C: Spending so much time aligning on spec, and, you know, validating together that, you know, we are in fact, you're producing something that's secure, you know. Inherently, the nature of security projects means that we, we try not to, you know, move things a lot, because then that's how you introduce vulnerabilities.

D: Exactly, yeah, so I think we just, as a community, should make sure that that voice is represented in meetings, though, you know, if you are on a TOC call and no one else speaks up, then this is your, that's your moment to step in and shine, and, you know, say the SIG security party line, if you so feel inclined to. Great.

C: So, you know, a couple things here. Since I tend to sort of enjoy the, the people and politics side of things, you know, I would chalk a lot of this up to, you know, collectively in the CNCF, you know, we have rkt and other projects that, you know, we're evaluating for archival. You know, we've been struggling with it, you know, extensive backlog of projects, and, you know, this is probably just caught in the net of folks...

C: Looking at, you know, what's out there and, you know, poking at it. So I don't know that we necessarily need to, to read too much into the fact that this was called out, but I do think it's a great opportunity to do, as Justin said, you know, emphasize, you know, our support for this project and, in general, for the, the, the fact that, that good security projects are going to be less churning.

F: One, one thing I'll add to that is, I mean, I, as far as Notary is concerned, I agree with the general sentiment that it is a used project, so it should be, which should be cared for, but generalizing that security projects in general will help slow churn might be incorrect in the future. I think more and more it's going to be the faster you do patches and faster...
A: I think that actually, if, this might be an opportunity for us. It's come up, I couldn't, I did some, maybe Brandon or somebody else can spot, or Robert, if it's on the call; we had some different GitHub issues where people have recommended that we have, like, guidelines, say, like, security guidelines, and maybe this is, like, the first one, right. They're like, well, maybe those will come out of the assessment, and you sort of were reluctant to just have that be like, yeah, let's just come up with a bunch of security guidelines...

A: Out of, you know, thin air, and there's a lot of prior work here, but maybe we could come up with, like, like, write this down: we have our cloud native security philosophy, right, and part of that philosophy is that, you know, like, metrics, like, that one should be thoughtful about metrics, and that sometimes that change, volume of change, is not an indicator of success.

A: You know, like, frequency of change, rate of change, may or may not be correlated with awesomeness, and if we could, like, maybe we can capture these things, and then, if something like this were to happen again, we can just, like, link to it, and then we don't have to be as much on the I out, because everybody will know this is our stance as a SIG, and we can, like, just, you know, write it up as a simple statement, and then maybe over time, if there, we have a few of them. Great.

C: You know, which, which ties into, you know, where I wanted to go with, with this particular issue and see if we could drive it to closure. You know, one is, this is a proposal to archive a project that, you know, we care about, they have folks that are involved in, but we actually don't have, you know, an explicit say in the archival of. So, like, one of the, the actions that, you know, we can take is, there's...

C: You know, that we recommend no action. If that was tied to a more formal PR and a statement that we're having, maybe as a component that we'd like to include in the white paper, JJ, then, you know, that could be really compelling, and, you know, if, I don't know if we need to extend, you know, what we do with this particular PR to another repo. That's my open question: where would we sort of...
J: One of the other topics: supply chain security, and putting additional focus as a SIG on supply chain security, and potentially how we could use in-toto and Notary, perhaps provide some guidance on how they be used. In addition to "we shouldn't archive it", perhaps, but "this is why we shouldn't archive it, this is where it's used, this is how important it is to the SDLC in supply chain security", Notary and in-toto.

C: Yeah, I think I would definitely like to see that. I think the next topic on the agenda may be related, you know, with regard to recusing oneself, and, you know, since we do have members of that project, you know, represented here and key responsibilities, you know, we need to make sure we, we balance that right, but, you know, definitely be a project that we've supported in their lifecycle, and, you know, want us, I want us to continue to support that and make sure that, you know, we're helping the best way for us to do that.

H: Regarding real-world usage, this, because I together say the more click on three yet, is it somehow monitored by maintainers for outdated dependencies, vulnerabilities, or maybe it's part of, like, a, I don't know, phasing community Google is doing for some open source projects? If it is, maybe this is one of the cases to, like, keep it, okay, this is still keeping a high quality of code and high standard QA, general.

D: We do this for TUF and we do it for in-toto. I don't recall what tooling, like, how, how the Notary folks handle this; I just know we get blasted a lot and I tend to tune this out. I think that would be a good question, like, I, if I were you, I'd just ping Justin Cormack on Slack and ask him, but I don't know the answer offhand.

A: Okay, maybe we should shift to the next topic, because, some, so that we have ten minutes for it, because I think this has been a good conversation, and I think, other than potentially making a PR, which, if somebody's inspired to summarize our philosophy to the repo, I don't think we have more to do, honestly, right.
C: Yeah, I'd like to, you know, drive that, since the, you know, big, big context security discussion, I'd love to, you know, not just leave it hanging. So JJ, if you can take an action to, you know, PR something in, and then we'll follow up next week with, you know, an action to, to carry it through to, you know, a PR on another, result: extra repo, okay.

E: Let me share my screen. So we talked, the ball back, I think, about, complimentary, this issue open, and I finally got around into writing something for it.

E: So I've added a section on conflict of interest to the security review guide, and basically what I've done is, so I borrowed some language from Sara's contribution for the TOC to basically talk about why we need this conflict of interest consideration, and I've taken an initial draft of what the conflict of interest should look like. So I kind of classified it into two types of conflicts: one would be hard conflicts, and soft conflicts. Hard conflicts would mean that the reviewer would not be able to review this project at all, and soft conflicts will be...

E: The reviewer will not be able to be a project lead for the review, but will be able to be a regular reviewer. So right now what I have here is, you know, it's, hard conflicts: if you're a maintainer of the project, or your direct report up and down of a maintainer of the project, being paid to work on the project. And then for soft conflicts, this seems, we are, for discussion, so...

E: Over here, what I've written down is things like: if you're not necessarily working on the project, but it's under the same company, or maybe you use the project in your deployments and so on, but you, and that's already working on that, or if you're friends with maintainers and so on. So the idea here really was to make sure we don't exclude too many people from being able to do...
D: Think you ask the reviewers to make it clear. I mean, that, that's effectively what we do in academia, is we have to also say things in addition to who we published with, or things like that that are measurable. We also have to say: oh yeah, I, I have a close personal relationship with this person because they were my office mate, or I roomed with them in grad school, or, you know, I, I hate their guts and so I can't be impartial.

D: Can you scroll down, because I think there's one that, I think, the personal financial interest that's direct? I don't mean, like, you invested in, like, the Dow Jones Industrial Average and the company is a listed company there. I mean, if you, you know, if you're somebody who, like, owns a bunch of stock in a company, or you were, you're, you know, in something, in some role like that, that I feel starts to maybe cross a line.

A: In that particular instance, I know, like I was saying, I wouldn't have thought of it as being a conflict of interest, right. You know, but, and that's where, you know, the CNCF is working really hard to have the projects, you know, there's been discussion, the TOC, about the, it's not like they're real open-source projects, like, the aspiration is that every project is a real open-source project that is not controlled by a company, right, and so, if we believe that's true, then just because you have a financial interest in the company...

A: It does seem like a little much, because most people, like, maybe say if it's a public company it doesn't matter, above a private company, then if you own over X percent, like, I think there's a, there's a standard that people use for, like, if you own more than ten, or ten percent of private, the private company, right, that, that's a trick figure, right. So we should, it's easier if you don't, like, Google.

B: In case people don't know, but the, you know, one of these smaller open-source projects where it's a company that is funded on supporting this open-source project, and you have stock in that company and you, you know, fail to disclose a security problem because of that, because it would tank the company, I think that is a harder thing. It probably also violates various financial guidelines, right. So we don't have to worry about that too much; it's insider trading, right.
P: Think it, we, we didn't, we don't have, we, we can't figure out all the possible situations, and what I think is maybe just straight say, we can write clearly for some situations when there is a problem, but besides that, just write it clearly that it would be discussed case by case. I don't think it's a good idea to, rather, to write every, every single situation in this paper.

A: You know, like, just overburdening other people, because Brandon was all willing to do it, and to, like, just sort of, you know, would the serverless working group or, like, with some other chair, make a different assessment, and here am I, like, you know, like, Brandon's done some work on this, and it, you know, I mean, like, just sort of arbitrary. I don't want to be making arbitrary judgments here, and neither do I want to be, like, having a big meeting about it, and generally this group, I think, wisely...

A: Just is like, well, when there's doubt, let's just not, but then that can just, like, slow us down in stupid ways. So that was really the genesis of this, like, let's just write it down so that most of the time we could just be like, okay, check, we're just following the rules, 'cause, like, we just wanna do the right thing. I would...

C: Yeah, and, and I'm very happy with the direction here. The only, the only thing I wanted to call out is simply: we don't have a process proposed yet for how we would handle a, an exception where, you know, someone maybe has a soft conflict of interest, and, you know, we wanted to sort of collectively, you know, recognize, you know, yes, that, that is a known, but, you know, given some extenuating circumstance, it is, you know, in the group's best interest that we move things forward and, you know, attach additional scrutiny to the effort. Well...

A: I think it's, I think maybe Brendan can just clarify here, but I think the intent is, like, if so, we could just say that the soft conflicts, we, right now we're saying it can be documented, but maybe we say that after the review team is determined and these things are declared, then one of the chairs says okay, approve, and we're always bought. The chairs are responsible for talking to each other and, you know, and getting feedback from the group or the TOC if, like, we feel like the guidelines aren't clear, something. Yeah.